App-ID
Application Identification is at the core of PAN-OS security, QoS, and PBF policies.
* '''Application''' in PAN terms is a specific program or feature that can be detected, monitored, and blocked if necessary.
* Within each policy, you can specify which applications you want to control.
* You can specify individual applications or a group of applications.

App-ID even works in these scenarios:
* If the application is running on a different port than expected.
* If the application is being transmitted in an SSL tunnel (the firewall can forward-proxy the SSL connection) or if it employs SSHv2.
* If the application is going through an HTTP proxy.

App-ID uses various methods to determine what exactly is running in the session:
* '''Protocol decoders''' = look within a protocol to find another protocol (gmail -> chat)
* '''Protocol decryption''' = opens up SSH and SSL
* '''Application signatures''' = look at layer 7 signatures
* '''Heuristics''' = tries to guess at patterns; used when the above methods cannot identify the application.

'''App-ID structure in detail'''
# Traffic is first classified based on the IP address and port.
# Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
# If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
# Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (ex: Yahoo Messenger used across HTTP).
For applications that cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to identify the application. Heuristics tries to guess whether the application resembles something bad or nefarious.
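The four-stage order above (port, signatures, decrypt-and-re-sign, decoders, then heuristics as a fallback) as a toy model. This is an added illustration, not PAN-OS code; the signature markers, decoder rules, heuristic and sessions are all constructed for the example.

```python
# Added illustration (not PAN-OS code): a toy model of the App-ID classification
# order. Signature markers, decoder rules and sessions are constructed here.
from dataclasses import dataclass, field

# Constructed "signature database": layer-7 payload markers -> application.
SIGNATURES = {"GET / HTTP/1.1": "web-browsing", "SSH-2.0": "ssh", "TLS-CLIENT-HELLO": "ssl"}
# Constructed decoders: an app found inside a parent protocol (HTTP -> yahoo-messenger, gmail -> chat).
DECODERS = {"web-browsing": {"ymsg": "yahoo-messenger"}, "gmail-base": {"chat-frame": "gmail-chat"}}

def heuristic(payloads):
    """Constructed behavioural check: repeated peer handshakes look like bittorrent."""
    return "bittorrent" if sum(p.startswith("\x13Bit") for p in payloads) >= 2 else None

@dataclass
class Session:
    dst_port: int
    payloads: list                                  # observed payload fragments, in order
    decrypted: list = field(default_factory=list)   # what a decryption policy would reveal

def match_signature(payloads):
    return next((a for p in payloads for m, a in SIGNATURES.items() if p.startswith(m)), None)

def classify(session, decrypt_policy=False, allowed_ports=range(1, 65536)):
    """Walk the App-ID stages in order; return (application, stages_used)."""
    if session.dst_port not in allowed_ports:       # 1. IP/port classification
        return "denied-by-port", ["port"]
    stages = ["port", "signature"]
    app = match_signature(session.payloads)         # 2. signatures on allowed traffic
    payloads = session.payloads
    if app in ("ssl", "ssh") and decrypt_policy and session.decrypted:
        stages.append("decrypt")                    # 3. decrypt, then signatures again
        app = match_signature(session.decrypted) or app
        payloads = session.decrypted
    if app in DECODERS:                             # 4. decoders look for a tunneled app
        stages.append("decoder")
        for marker, tunneled in DECODERS[app].items():
            if any(marker in p for p in payloads):
                return tunneled, stages
    if app is None:                                 # fallback: heuristics, else unknown
        stages.append("heuristic")
        app = heuristic(payloads) or "unknown-tcp"
    return app, stages
```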
Once the app is identified, the policy check determines how to treat the application: block it, allow it (and scan it for threats, file transfers, or data patterns), or rate-limit it using QoS.

''Objects -> Applications''
* Application '''GROUPS''' are static. Applications are manually added and maintained by firewall administrators.
* Application '''FILTERS''' are dynamic. Applications are filtered by traits such as risk, subcategory, technology, characteristic, etc.
** Any new applications that fit into those categories will be automatically added to that dynamic filter.
** If you create an Application Filter on a specific criterion, such as the subcategory "games", it will include all applications which are defined as a game. Any new games defined by an App-ID signature will automatically be included as part of this filter.

'''Intrusion Protection System (IPS)''' - can be added to a traditional firewall environment to provide a second layer of traffic filtering. Once traffic is processed by the firewall, it is passed to the application IPS for further analysis.

Parent Applications must also be allowed by security policy for the dependent applications to function.
* EX: Web-browsing (allow/deny) -> Google-Translate-base (allow/deny)

'''Blocking Applications'''
''Policies -> Security Policy''
# Add a security policy rule.
# Enter the necessary information under the General, Source, User, and Destination tabs. Click on the Application tab.
# Click Add -> New Application Filter
## OR go to ''Objects -> Application Filter''
# Name the Application Filter.
# Select the desired applications and/or risk levels. Click OK to save, and the App Filter will show in the security rule.
# Leave the Service/URL as "any". Set the Action to "Deny".

'''Application Override'''
An Application Override Policy is used to change the way the firewall classifies network traffic into applications.

'''Custom Application Override:'''
* An Application Override with a Custom Application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection.
The firewall is forced to handle the session as a regular stateful inspection firewall at Layer-4.
** When an existing application such as "web-browsing" is used in an app-override rule, the rule will force all matching traffic into Layer-7 inspection for that specific application.
* A rule with a custom application override does NOT pass through any of the URL, threat, or anti-virus scanning engines. The scanning engines will be used with an App-Override if you use an existing built-in application such as "web-browsing".
** EX: The PAN device is classifying traffic as "unknown-tcp" or "unknown-udp".
** A custom application override is created and applied to a rule to re-categorize the traffic.
** The traffic is now properly identified, but there is no URL filtering applied to the traffic under that rule; this is normal behavior.

'''Configuring a Custom Application Override''' (for Telnet):
* '''First:''' create the new Application
* '''Second:''' create the Application Override Policy
* '''Third:''' apply it to a Security Policy to allow the traffic
# ''Objects -> Applications -> New''
## General (tab)
### Name: "Telnet_Override"
### Category: "networking"
### Subcategory: "remote-access"
### Technology: "network-protocol"
### Parent App: "none"
### Risk: "1"
## Advanced (tab)
### Default Port -> Add -> "tcp/23"
### OK
# ''Policies -> Application Override''
## General (tab)
### Name: "TELNET_OVERRIDE"
### An override must be created for the zones the application will traverse (any/any).
## Protocol/Application (tab)
### Protocol: "TCP"
### Port: "23"
### Application: "Telnet_Override"
# This new Application needs to be used in a Security Policy rule to allow the traffic to pass.

'''RTP issue'''
For audio and video calls, the PAN firewall has a decoder that predicts the sessions for audio and video. If the predicted sessions are opened up for all calls, and the actual RTP packets fail to merge into the predicted sessions, then the RTP packets will get dropped.
For example: after the 2-minute mark (120 seconds), or sometimes the 5-minute mark, the predicted sessions time out, the RTP packets open up a new session in the PAN session table, and the calls go through fine. The solution is to create a custom application plus an application override policy.
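The Application Override behaviour described above (a custom-app override skips the App-ID engine and the URL/threat/AV scanners, while an override to a built-in app keeps Layer-7 inspection) together with the parent-application rule, as a toy model. This is an added illustration, not PAN-OS code; the TELNET_OVERRIDE rule mirrors the Telnet walkthrough, and the zones, app table and sessions are constructed.

```python
# Added illustration (not PAN-OS code): what an Application Override rule does to
# a session's classification and inspection, plus the parent-app dependency check.
# The rule, app table, zones and sessions are constructed for the example.
from dataclasses import dataclass

# Constructed app table: built-in app -> parent app (None if it has no parent).
BUILT_IN_APPS = {"web-browsing": None, "google-translate-base": "web-browsing", "telnet": None}

@dataclass
class OverrideRule:
    name: str
    from_zone: str          # "any" matches every zone
    to_zone: str
    protocol: str
    port: int
    application: str        # custom app (not in BUILT_IN_APPS) or a built-in one

@dataclass
class Session:
    from_zone: str
    to_zone: str
    protocol: str
    dst_port: int
    appid_result: str       # what the App-ID engine would otherwise conclude

def apply_override(session, rules):
    """Return (application, layer7_scanned). A custom app forces Layer-4 handling
    with no URL/threat/AV scanning; a built-in app keeps Layer-7 inspection."""
    for r in rules:
        if (r.from_zone in ("any", session.from_zone) and r.to_zone in ("any", session.to_zone)
                and r.protocol == session.protocol and r.port == session.dst_port):
            return r.application, r.application in BUILT_IN_APPS
    return session.appid_result, True           # no override: normal App-ID and scanning

def policy_allows(app, allowed_apps):
    """Security-policy check: the app and, if it has one, its parent app must be allowed."""
    if app not in allowed_apps:
        return False
    parent = BUILT_IN_APPS.get(app)
    return parent is None or parent in allowed_apps

# Mirrors the Telnet walkthrough: any zone -> any zone, tcp/23 -> Telnet_Override.
OVERRIDES = [OverrideRule("TELNET_OVERRIDE", "any", "any", "tcp", 23, "Telnet_Override")]

def handle(session, rules=OVERRIDES, allowed_apps=frozenset({"Telnet_Override", "web-browsing"})):
    """Full path: override first, then the security-policy decision."""
    app, scanned = apply_override(session, rules)
    return app, scanned, policy_allows(app, allowed_apps)
```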